topic Re: CISCO ASA: Unable to connect to DMZ in Network Security

CISCO ASA: Unable to connect to DMZ

lonskinini — Mon, 11 Mar 2019 15:34:16 GMT

Hi,

I have setup a network below:

LAN <==> Cisco ASA) <==> Internet

DMZ

I'm having problem connecting (ping) from Internal to hosts on the DMZ.

My plan is to allow all hosts on Internal to connect (ping) to DMZ. IP Address on Internal should not be natted on DMZ.

And allow some of the host to connect to Internal hosts. No natting also.

Below is my current configuration:

=======================

ciscoasa(config)# sh run

: Saved

ASA Version 8.0(2)

hostname ciscoasa

enable password Qe0yKBKYpRMBmOsL encrypted

names

interface Ethernet0/0

nameif external

security-level 0

ip address 116.xyz.xyz.228 255.255.255.192

interface Ethernet0/1

nameif internal

security-level 100

ip address 172.31.24.253 255.255.248.0

interface Ethernet0/2

nameif dmz

security-level 50

ip address 192.168.0.253 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list ping extended permit icmp any any echo-reply

access-list ping extended permit icmp any any time-exceeded

access-list ping extended permit icmp any any unreachable

pager lines 24

logging asdm informational

mtu external 1500

mtu internal 1500

mtu management 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (external) 1 interface

nat (internal) 1 0.0.0.0 0.0.0.0

static (internal,dmz) 172.31.0.0 172.31.0.0 netmask 255.255.248.0

access-group ping in interface external

access-group ping in interface dmz

route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999

: end

====================

Sorry, I'm new to cisco and I am eager to learn cisco.

Hope you can help me.

Thanks,

Lonski

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Tue, 19 May 2009 23:55:09 GMT

Sorry, DMZ is directly connected to Cisco ASA.

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Tue, 19 May 2009 23:58:54 GMT

Hi,

Does not look like your allowing echo. Try adding this command to your ACL..

access-list ping extended permit icmp any any echo

HTH

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 00:12:57 GMT

Hi Mike,

Thanks for the advise.

I have just added the acl but it still giving me same result.

Is there anything I should add with nat or route?

Thanks again.

Lonski

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 00:19:59 GMT

Hi,

Can you post a show access-list. Also can you ping the DMZ and internal hosts from the ASA?

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 00:30:35 GMT

Hi Mike,

Here it is:

Ping from ASA to DMZ host (192.168.0.180)

--------------------

ciscoasa(config-if)# ping 192.168.0.180

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.180, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

--------------------

Ping from ASA to Internal (172.31.26.65)

-------------------

ciscoasa(config)# ping 172.31.26.65

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.31.26.65, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

-------------------

Access-list:

--------------------

ciscoasa(config-if)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list ping; 4 elements

access-list ping line 1 extended permit icmp any any echo-reply (hitcnt=8) 0x6431b796

access-list ping line 2 extended permit icmp any any time-exceeded (hitcnt=72) 0x406ef9e9

access-list ping line 3 extended permit icmp any any unreachable (hitcnt=17) 0x45fe8bbe

access-list ping line 4 extended permit icmp any any echo (hitcnt=0) 0x931c70e

--------------------

Hope this helps.

Thanks

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 00:36:00 GMT

Your static looks like it's the wrong subnet. Remove the current static and add this one..

static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 00:58:17 GMT

Hi Mike,

I have replaced the static base from your suggestion but it has still same result.

By the way, this is the range of ip address of the internal:

172.31.24.0 - 172.31.24.255

172.31.25.0 - 172.31.25.255

172.31.26.0 - 172.31.26.255

172.31.27.0 - 172.31.27.255

172.31.28.0 - 172.31.28.255

172.31.29.0 - 172.31.28.255

172.31.30.0 - 172.31.30.255

172.31.31.0 - 172.31.31.255

Thanks

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 00:58:31 GMT

Hi Mike,

I have replaced the static base from your suggestion but it has still same result.

By the way, this is the range of ip address of the internal:

172.31.24.0 - 172.31.24.255

172.31.25.0 - 172.31.25.255

172.31.26.0 - 172.31.26.255

172.31.27.0 - 172.31.27.255

172.31.28.0 - 172.31.28.255

172.31.29.0 - 172.31.29.255

172.31.30.0 - 172.31.30.255

172.31.31.0 - 172.31.31.255

Thanks

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 00:58:31 GMT

Hi Mike,

I have replaced the static base from your suggestion but it has still same result.

By the way, this is the range of ip address of the internal:

172.31.24.0 - 172.31.24.255

172.31.25.0 - 172.31.25.255

172.31.26.0 - 172.31.26.255

172.31.27.0 - 172.31.27.255

172.31.28.0 - 172.31.28.255

172.31.29.0 - 172.31.29.255

172.31.30.0 - 172.31.30.255

172.31.31.0 - 172.31.31.255

Thanks

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 01:34:44 GMT

OK. What is the default gateway of the machine on the internal network you were able to ping from the ASA (172.31.26.65 )?

IS the ASA the gateway for the DMZ subnet?

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 01:50:02 GMT

The default gateway of internal host is the address of ASA on internal(172.31.24.253) and default gateway of DMZ host is also the address of ASA in DMZ (192.168.0.253).

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 01:54:24 GMT

Just to add:

I can ping from DMZ host the address of the DMZ gateway (192.168.0.253)

Thanks

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 02:06:19 GMT

Can you issue a clear xlate and try and ping again? Can you also post the running config again.

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 02:12:13 GMT

Done clearing xlate... same result 😞

Here's the updated config:

----------------

ciscoasa(config)# sh run

: Saved

ASA Version 8.0(2)

hostname ciscoasa

enable password Qe0yKBKYpRMBmOsL encrypted

names

interface Ethernet0/0

nameif external

security-level 0

ip address 116.xyz.xyz.228 255.255.255.192

interface Ethernet0/1

nameif internal

security-level 100

ip address 172.31.24.253 255.255.248.0

interface Ethernet0/2

nameif dmz

security-level 50

ip address 192.168.0.253 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list ping extended permit icmp any any echo-reply

access-list ping extended permit icmp any any time-exceeded

access-list ping extended permit icmp any any unreachable

access-list ping extended permit icmp any any echo

pager lines 24

logging asdm informational

mtu external 1500

mtu internal 1500

mtu management 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (external) 1 interface

nat (internal) 1 0.0.0.0 0.0.0.0

static (internal,dmz) 172.31.24.0 172.31.24.0 netmask 255.255.248.0

access-group ping in interface external

access-group ping in interface dmz

route external 0.0.0.0 0.0.0.0 116.xyz.xyz.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:2f8ad3795ba88821b7fd8294ed015999

: end

--------------------

Thanks,

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 02:15:31 GMT

Remove the ping ACL from the external interface and apply it to the dmz interface and try again.

no access-group ping in interface external

access-group ping in interface dmz

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 02:26:47 GMT

Hi Mike,

I tried removing 'access-group ping in interface external' and the result is it will not let me ping internet (ie. google.com)

I tried issuing 'access-group ping in interface dmz' but still same result. I'm unable to ping from internal to dmz.

Thanks,

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 02:27:42 GMT

Sorry, it's already on your DMZ interface. Forget my last post.

Re: CISCO ASA: Unable to connect to DMZ

mike-greene — Wed, 20 May 2009 02:54:44 GMT

You can remove this command..

access-list ping extended permit icmp any any echo

Other then that the config looks ok to me. ... It is late though and it's been a long day.

The only other item I can think of to check tonight is the routing tables on the internal and DMZ systems to make sure there not sending the traffic somewhere else.. I believe the command is route print on a Microsoft box.

Re: CISCO ASA: Unable to connect to DMZ

lonskinini — Wed, 20 May 2009 03:54:32 GMT

Hi Mike,

Yeah, it's been a long day.

Just a thought, do we need to change from static to dynamic nat?

I'm not sure, I'm thinking that internal is unable to communicate with dmz because it is from different subnet since we used the static nat. ??? not so sure. 😃

Thanks